February 22, 2010, 12:54 PM — The Lower Merion School District in Pennsylvania is getting a crash course--trial-by-fire style--on the limits of what is acceptable when monitoring computer activity. The facts are still being worked out, and investigations and lawsuits are still pending, but there are some lessons to be learned here for conducting an effective--and legal--monitoring program.
1. Disclosure. One of the most important steps in separating "monitoring" from "spying" is to establish what is acceptable and to provide advance notice that computer activity and communications could be monitored.
In general, there is no need to specify how or when the monitoring might be done. A disclaimer that the company reserves the right to monitor activity is more or less standard. However, the ability to enable the webcam on a laptop in the individual's home without their knowledge or consent is outside of the gray area--it crosses from diligent monitoring to creepy spying real quick.
2. Discretion. Even if monitoring has been disclosed as a possibility, some controls should be in place regarding how and when monitoring is conducted (especially for equipment like laptops that are also used in the home), as well as which individuals have the authority to conduct monitoring, or access data gathered through monitoring.
While the company may be within its legal rights in monitoring network and computer activity of employees, the privacy rights of employees engaged in illicit or questionable activities could still be violated if those actions are broadly disclosed to peers, managers from other departments, or other parties that have no stake or interest in the employee's productivity.
3. Personal Use. The jury, or in this case the Supreme Court of the United States, is still out on this issue, but based on the case of Ontario, CA police officers suing the Ontario police department, the company's right to monitor its network and equipment could be superseded by an implied expectation of privacy when personal use is also authorized.
Essentially, the company does have the right to monitor the communications and activities on its network and company-issued equipment. However, when the company also specifies that employees are allowed to conduct personal business and communications using company-issued equipment, it gets a little murky whether or not that permission comes with an expectation of privacy.